Millions of IoT devices are hackeables due to weaknesses in RSA encryption

A couple of months ago, the EUtoday website published an ethical hacking report on the security of RSA certificates, mentioning that, while this is a secure algorithm (based on calculation with prime numbers), its misuse would allow the generation of vulnerable or fake certificates, which could lead to multiple security issues. These issues also affect Internet of Things (IoT) devices, as using fake certificates could allow an attacker to deploy distributed denial of service (DDoS) attacks, information theft, and other malicious activities.

RSA certificates are an example of public key cryptography. This method uses two different encryption keys: a private key and a public key. The private key is used to decrypt messages or generate digital signatures, while the public key can encrypt data or verify digital signatures. This method is safe as long as an attacker does not know either of the two factors used for RSA calculation.

However, ethical hacking specialists consider this assumption will not always be valid, as demonstrated in a study of 75 million public RSA keys, one in 172 of these keys share a common factor.

These common factors represent a serious security issue for RSA keys, as they could allow a threat actor to determine the two prime factors used in the calculation. This information would help to derive the private key associated with the public key. In the study, researchers managed to find the private keys for more than 435k out of the 75 million RSA keys analyzed.

In their report, ethical hacking specialists attribute this security weakness to the continued growth of IoT device use, as they have reduced entropy and significant energy constraints. It should be noted that entropy is a fundamental factor in generating a secure random key; since these devices generate the same random numbers frequently when they try to identify prime numbers to use in RSA certificates it greatly increases the chance that these certificates will share a prime value, becoming vulnerable to attack.

According to the International Institute of Cyber Security (IICS), it is vital to address these security risks, as we can currently find IoT devices in virtually every home in the world, so their use for malicious purposes could expose millions of users.